The project being discussed in this post is https://codeberg.org/valpackett/podfox#podfox
You can actually use Traefik to do something similar using its Docker service discovery. Instead of being a SOCKS proxy, Traefik is a reverse proxy, and you can combine it with `lvh.me`, which resolves all subdomains to localhost. I don't use this technique any more, but a functional example command can be seen here: https://github.com/CGamesPlay/dotfiles/blob/c49e2b4ddd0fe591...
I think that puts it into an entirely different category. SOCKS proxies are great, as they don't require you to try and bend all domain names the correct way. In a typical intranet or proxied container cluster setup, you quickly end up hitting some application logic that e.g. returns back an absolute URL (breaking your manual usage of lvh.me), or uses non-default HTTP ports, or one of many other ways that break if you try to use a lvh.me-like setup or remapping DNS entries to localhost.
You're correct, but in practice I never had that issue. All the applications I used this technique with were easily able to set the "site root URL" via an environment variable or something similar.
To show the other side of the coin: SOCKS proxies are less convenient, as they require you to configure your entire browser (your entire system on macOS) to use it.
> To show the other side of the coin: SOCKS proxies are less convenient, as they require you to configure your entire browser (your entire system on macOS) to use it.
It is no big deal. The blog post shows the usage of a PAC file which only redirects the local .podman TLD to the SOCKS proxy.
It is only maybe an issue if you are using a company-issued computer already using a PAC file from a GPO. But in that case you can totally decide to dedicate a browser for it and set up the SOCKS proxy only for it. Choices.
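A PAC file of the kind the comment above describes, as an added example that is not taken from the thread or from the blog post: only hostnames under the `.podman` TLD go to the SOCKS proxy, everything else goes direct. The proxy address `127.0.0.1:1080` and the helper names are assumptions.

```javascript
// Added example, not from the blog post: PAC logic that proxies only *.podman.
// PROXY_ADDR is an assumed placeholder; use the address your SOCKS proxy listens on.
var PROXY_ADDR = "127.0.0.1:1080";
var PROXIED_TLD = ".podman";

// Lower-case the host and drop one trailing dot ("web.podman." is the same name).
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// True only for names with at least one label in front of ".podman".
// A plain substring test would also catch "web.podman.example.com" and send
// traffic for an unrelated public domain into the container network.
function isPodmanHost(host) {
  var h = normalizeHost(host);
  if (h.length <= PROXIED_TLD.length) {
    return false;
  }
  return h.slice(-PROXIED_TLD.length) === PROXIED_TLD;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isPodmanHost(host)) {
    // No "; DIRECT" fallback: if the proxy is down the request fails
    // instead of being retried outside the proxy.
    return "SOCKS5 " + PROXY_ADDR;
  }
  return "DIRECT";
}
```
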
> All the applications I used this technique with were easily able to set the "site root URL" via an environment variable or something similar
Yeah that often works, but also requires running things locally or redeploying them. For quick debugging, trying to use the service without altering it is more convenient.
> as they require you to configure your entire browser (your entire system on macOS) to use it
See my other comment. I'm on macOS, and I'm quite happy with FoxyProxy, which allows for individual pages to use a SOCKS proxy based on a regex (or just via an on/off toggle).
For managing SOCKS proxy usage in the browser, I can highly recommend FoxyProxy[0]. I'm using it for about a dozen different SOCKS proxy setups, and it also exists for both Firefox and Chrome, making it easy to share a similar setup with colleagues.
[0]: https://getfoxyproxy.org
I dunno. I just use OrbStack and everything works. Containers have their own IP, DNS, and HTTPS certificates.
Unfortunately the page is completely blank (iOS Safari)
Same, here's an archive https://web.archive.org/web/20250509050906/https://val.packe...
Blank for me too (Windows Firefox), ublock off.
Turn off your content blockers? Comes up fine for me. Or maybe add some? ;)
I have Firefox and content blockers and it works fine for me. On Linux.
Maybe they simply banned some user agents commonly used by IA scrapers.
This is such a great post full of cool little tricks for immutable OS users. Thanks for posting!
With regular Docker or Podman it was always easy and useful to forward a container's port over SSH. Does anyone know how to just as easily do that (i.e. with a single command) for rootless Podman?
With or without binding a host port? With a host port it should Just Work, without... I'm not sure why it wouldn't route just as well, actually; I don't think `ssh -L` acts differently than anything else, does it? Actually let me back up: What are you doing, and what does it currently do with podman?
Without binding a host port. I have a remote server where my containers run and want to forward their ports directly to my local machine without binding to a host port there. That of course works with a regular bridge but not with rootless containers.
Very cool. This proxy should be a Podman feature.